Monitor Splunk Enterprise files and directories with the CLI
On Splunk Enterprise installations, you can monitor files and directories using the command line interface (CLI). To use the CLI, navigate to the
$SPLUNK_HOME/bin/ directory from a command prompt or shell, and use the
splunk command in that directory.
The CLI has built-in help. Access the main CLI help by typing
splunk help. Individual commands have their own help pages as well. Access that help by typing
splunk help <command>.
CLI commands for input configuration
The following commands are available for input configuration using the CLI:
||Monitor inputs from |
||Edit a previously added monitor input for |
||Remove a previously added monitor input for |
||List the currently configured monitor inputs.|
||Copy the source file directly into Splunk Enterprise. This uploads the file once, but Splunk Enterprise does not continue to monitor it.
||Copy the source file directly into Splunk Enterprise using the sinkhole directory. Similar to the |
CLI parameters for input configuration
Change the configuration of each data input type by setting additional parameters. To set parameters, use the syntax
You can set only one
-hostsegmentnum per command.
||Yes||Provide the path to the file or directory being monitored and uploaded for new input.
||No||Provide a |
||No||Provide the destination index for events from the input source.|
||No||Provide a host name to set as the host field value for events from the input source.
||No||Provide a regular expression to use to extract the host field value from the source key.
||No||An integer, which determines what "/" separated segment of the path to set as the host field value. If set to 3, for example, the third segment of the path is used.
||No||Provide a value for the |
||No||Set to true or false. Default is false.
This parameter is not available for the
Example 1: Monitor files in a directory
The following example shows how to monitor files in
/var/log/ as a data input:
./splunk add monitor /var/log/
Example 2: Monitor windowsupdate.log
The following example shows how to monitor the Windows Update log file where Windows logs automatic updates, sending the data to an index called
C:\Windows\windowsupdate.log as a data input:
splunk add monitor c:\Windows\windowsupdate.log -index newindex
Example 3: Monitor Internet Information Server (IIS) logging
This example shows how to monitor the default location for Windows IIS logging.
C:\windows\system32\LogFiles\W3SVC as a data input:
./splunk add monitor c:\windows\system32\LogFiles\W3SVC
Example 4: Upload a file
This example shows how to upload a file into Splunk Enterprise. Splunk Enterprise consumes the file only once. It does not monitor it continuously.
/var/log/applog on Unix or
C:\Program Files\AppLog\log.txt on Windows directly into Splunk Enterprise with the
add oneshot command:
You can also upload a file through the sinkhole directory with the
The result is the same with either command.
Monitor files and directories
Monitor files and directories with inputs.conf
This documentation applies to the following versions of Splunk Cloud Platform™: 8.2.2106, 8.2.2112, 8.2.2201, 8.2.2202, 8.2.2203, 9.0.2205, 9.0.2208, 9.0.2209 (latest FedRAMP release)
Feedback submitted, thanks!